Please note, this is a STATIC archive of website developer.mozilla.org from November 2016, cach3.com does not collect or store any user information, there is no "phishing" involved.

Content-Security-Policy

この記事は技術レビューを必要としています。ぜひご協力ください

この記事はまだボランティアによって 日本語 に翻訳されていません。ぜひ MDN に参加して翻訳を手伝ってください!

This is an experimental technology
Because this technology's specification has not stabilized, check the compatibility table for usage in various browsers. Also note that the syntax and behavior of an experimental technology is subject to change in future versions of browsers as the specification changes.

DRAFT

The Content-Security-Policy header fields allows web site administrators to control resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting attacks.

To set a content security policy, add one or more policy directives to either of the response headers listed below. Alternatively, most policy directives can be used in a <meta> tag with the http-equiv attribute. If a policy directive is not defined, user agents will allow resources from anywhere.  The default-src directive overrides this behavior for a select number of other directives. See the policy directives page for more information.

Workers are in general not governed by the content security policy of the document (or parent worker) that created them. To specify a content security policy for the worker, set a Content-Security-Policy response header for the request which delivered the worker script itself.

The exception to this is if the worker script's origin is a globally unique identifier (for example, if its URL has a scheme of data or blob). In this case, the worker does inherit the content security policy of the document or worker than created it.

The HTTP response headers

This section lists the HTTP response headers that servers send back to specify allowed origins for page contents as defined by the Content Security Policy specification. 

CH-CSP

Indicates that a request is subject to a policy.

Content-Security-Policy

Specifies a page's content origins by resource type for enforcement by the user agent. This header may be used inside a <meta> tag.

Content-Security-Policy-Report-Only

Specifies a page's content origins by resource type for monitoring by the server. This header may not be used inside a <meta> tag.

Browser compatibility

Feature Chrome Firefox (Gecko) Internet Explorer Opera Safari
Basic support 41.0 (Yes) ? (Yes) ?
Worker support (Yes) 50 (50) ? ? ?
Feature Android Chrome for Android Firefox Mobile (Gecko) IE Mobile Opera Mobile Safari Mobile
Basic support No support ? ? ? ? ?

See Also

ドキュメントのタグと貢献者

 このページの貢献者: wbamberg, teoli, jpmedley, kscarfone
 最終更新者: wbamberg,